New Web Threats Imperil OS, Other Apps

Researchers at IBM have released proof-of-concept code for a new generation of Web threats that can attack the underlying operating system as well as other applications running on the compromised Web server. Called cross-environment hopping (CEH) by IBM, the attack uses any cross-site scripting vulnerability in the Web application to jump (or “hop”) to another environment running on that same machine.

The concept of CEH itself isn’t brand new, but IBM researchers today provided details of new forms of this type of attack. Among the new techniques they discovered are the breach of sensitive data located on non-Web apps via ActiveX implementations of XML HTTP requests, and exploiting a local proxy server to attack other services in the victim’s local network. The researchers say that in some cases, an attacker could even access network share drives, remote procedure calls, intranet mail, SQL servers, and other local services as well.

Yair Amit, senior security researcher with IBM Rational, says CEH is different from the well publicized DNS pinning attack because it doesn’t exploit a browser or browser plug-in vulnerability. Amit says a CEH attack also is interesting in that the malicious actions aren’t executed by the attacker’s computer, but by the victim’s own system on itself. “Attacks come from the inside, not the outside, which is interesting,” Amit says. “Firewalls are not able to properly protect a victim from this kind of attack.” (See Old Flaw Threatens Web 2.0 and What DNS Pinning Means to You.)

Dan Kaminsky, who pioneered much of the DNS pinning research, says the IBM research has some “cool” finds. “What's interesting here is their observation that we may see multiple locally running servers on the same host, and if you can attack one of them, you can bounce off of it to attack any of them,” says Kaminsky, who is director of penetration testing for IOActive. “This is actually pretty cool. You'd never let anyone else's code run on a server you put up on the Internet, because obviously it could maliciously interact with yours. However, nobody's seen a problem putting multiple mutually distrusting Web servers on people's desktops.”

How can you defend against a CEH attack? The researchers recommend that browser and plug-in software vendors restrict crossing ports on the local host, only with the consent of the user, and that the client machine avoid installing software other than the Web app on the server. “The... restrictions in place on the local computer are not sufficient to prevent environment hopping from a vulnerable web application to other applications (not only web applications) that are running as a server,” the researchers wrote in a blog post today.

Web app developers, meanwhile, should emphasize security in their apps, and antivirus and firewall vendors should consider preventing socket and HTTP connections among Web apps and different ports on the local machine, according to the IBM researchers.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.